Proprioceptive Sensors’ Fault Tolerant Control Strategy for an Autonomous Vehicle

In this contribution, a fault-tolerant control strategy for the longitudinal dynamics of an autonomous vehicle is presented. The aim is to detect potential failures of the vehicle’s speed sensor and then to keep the vehicle in a safe state. For this purpose, a scheme based on the separation principle, composed of a static output feedback controller and fault estimation observers, is designed. Two observer techniques are proposed: the proportional and integral observer and the descriptor observer. The effectiveness of the proposed scheme is validated by means of the experimental demonstrator of the VEDECOM (Véhicule Décarboné et Communicant) Institute.


Introduction
The development of autonomous vehicles is attracting huge interest from the scientific community around the world. Research projects broadly aim to reduce traffic accidents, cut down fuel consumption and increase the efficiency of transportation systems, as well as passengers' safety. Vehicles' automated systems have advanced significantly in a few decades, and several commercial cars are equipped with smart ADAS systems. Additionally, some leading companies around the world have shown promising results of fully-autonomous driving vehicles, such as the Google Car, Cruise of GM and the Tesla Autopilot. From this perspective, the SAE On-Road Automated Vehicle Standards Committee assessed the classification of autonomous vehicles [1]. The Information Report provides a taxonomy for motor vehicle automation ranging in level from no automation to full automation. High levels of automation (namely 4 and 5) exclude the driver as a fall-back solution and must operate under specific environments (Level 4) or in all possible situations (Level 5), by ensuring autonomous monitoring of the surrounding area, of the performance of the sensors and the algorithms, and by deciding on the actions to maintain the vehicle in a safe state. Consequently, monitoring the performance of vehicle sensors is critical, since the entire operation of the car depends heavily on the sensors' information. Indeed, the sensors' reliability is a serious concern, especially since the architecture of an autonomous vehicle includes the tasks of perception, localization, planning, control and system management, which share information with each other [2]; that is why a single faulty task can result in dangerous behaviour of the vehicle.
From this perspective, it is necessary to design a fault tolerant control mechanism that can diagnose faults and preserve a safe vehicle behaviour even under faulty or degraded sensing. Furthermore, Section 3. Section 4 shows the experimental results and discussions. Concluding remarks of this contribution are given in Section 5.

Materials and Methods
To tackle the probable proprioceptive sensor faults, an active fault tolerant strategy based on the separation principle is designed. The FTC scheme consists of a Static Output Feedback controller (SOF) and a fault estimation observer. The SOF ensures the tracking of the reference speed, and it is designed in the nominal case (faultless scenarios). The aim of the separation principle is to keep the controller always running in the nominal case, even if faults are occurring. This is made possible by subtracting the estimated fault from the measurement signal, in such a way that the controller uses a healthy speed signal (see Figure 1). The proper functioning of the proposed scheme is ensured by the robustness of the controller and the perfect fault estimation provided by the observer [23]. In this study, we are interested in designing a controller and two observers for the vehicle longitudinal dynamics in the Adaptive Cruise Control (ACC) driving scenario. Furthermore, the single track representation is advantageous in ensuring simplicity. The vehicle dynamics relies on the following assumptions [42][43][44]:

• The road is assumed to be a plane (no slope, no inclination);
• The lateral dynamics is not considered;
• Yaw, pitch and roll dynamics are neglected.

Considering the above assumptions, the longitudinal vehicle dynamics can be expressed by the following equations (see Figure 2): where the vehicle parameters are expressed in Table 1. Adopting a single track modelling by defining: $\omega_{r_f} = \omega_{r_1} = \omega_{r_2}$, $\omega_{r_r} = \omega_{r_3} = \omega_{r_4}$, $J_{r_f} = J_{r_1} + J_{r_2}$, $J_{r_r} = J_{r_3} + J_{r_4}$. We obtain the following equation: Substituting $F_{x_f}$ and $F_{x_r}$ in Equation (1) leads to: The longitudinal slip ratio hypothesis can be written as: leading to $r\omega_r = V_x$, then $r\dot{\omega}_r = \dot{V}_x$. Substituting $\dot{\omega}_r$ in (3), we obtain: Denoting $T_b = T_{b_f} + T_{b_r}$, $T_r = T_{r_f} + T_{r_r}$, we get: where $J_{eq} = (rm + J_{r_f} + J_{r_r})$, $T_{eq} = T_m - T_f - T_r$, $F_a = aV_x + bV_x^2$ and $a$ and $b$ are aerodynamic coefficients. $T_{eq}$ is the torque given by the engine and the brake system; its dynamics is subject to loss and to a decay rate. To overcome this problem, we assume a first order dynamics, with a time constant $\tau$ [26]: Finally, the vehicle longitudinal dynamics is given in the quadratic form by combining (5) and (6) as follows: The model (7) can be written in the following Lipschitz nonlinear form: with: Taking into account the exogenous disturbances: where $d(t)$ is the disturbance signal and $W$ the disturbance distribution matrix of the appropriate dimension.
In order to design the controller and the observers, we adopt the following hypotheses and algebraic lemmas:

Hypothesis 1. The nonlinear terms are considered to be a smooth Lipschitz function satisfying the following relation: where $x_1, x_2 \in \mathbb{R}^n$ and $l$ is a positive Lipschitz constant.

Hypothesis 2. The sensor faults $f_s(t)$ and the exogenous disturbances $w(t)$ are assumed to be bounded: where $f_{max}$ and $w_{max}$ are constant scalars.

Lemma 1 (Schur complement). Given the matrices $S \in \mathbb{R}^{n \times n}$, $M \in \mathbb{R}^{n \times m}$ and $\Gamma \in \mathbb{R}^{m \times m}$, the following implication holds [45]:

Lemma 2. Consider matrices $A$, $B$ and a scalar $\delta$; the following inequality holds [32]:

Lemma 3 (Elimination lemma). Assume matrices $Q \in \mathbb{S}^n$, $B \in \mathbb{R}^{m \times n}$ and $C \in \mathbb{R}^{p \times n}$. Thus, the following statements are equivalent [46]:

Static Output Feedback Controller Design
The controller must ensure a robust tracking of the reference signal against mismodelling dynamics and model noises. Indeed, for the sake of convenience with the separation principle, the SOF controller is designed in this subsection. In fact, this control technique is more appropriate with the longitudinal vehicle dynamics model. The output feedback theory is an active research area, and several works are presented in the literature [47]. These works aim to overcome the multiple challenges of the output feedback methodology.
In order to design the SOF controller, we rewrite the system (3) in the following form: where $z$ is the performance output vector, with $C_z$, $B_z$ and $W_z$ being matrices of appropriate dimensions. The stabilizable static output feedback controller is given by: The real problem of the static output feedback control design lies in the difficulty of designing the gain $K_{SOF}$ when the matrix $C$ is singular (as in our case). To deal with this issue, the system parametrization of Lemma 4 is adopted [48].

Lemma 4. The parametrization of System (14) minimizing an optimal $H_\infty$ criterion $\gamma_{00}^2$ for a SOF controller is given by:

Proof. Let us consider the following relation: Deriving the relation (17) yields: Developing (18), by using the model (14), gives: Based on Hypothesis 1 and Lemma 2, the relation (19) can be written in the quadratic form of (20). Using the Schur complement, we obtain: The expression (16) can then easily be obtained from (21) by factorization, and that ends the proof.

Using the compact form of the parametrization lemma, the optimal control gain is then obtained by the following theorem:

Theorem 1. System (14) is stabilizable by the static output feedback controller $K_{SOF}$, minimizing an $H_\infty$ criterion $\gamma_{00}^2$, if there exist a positive semidefinite matrix $P_\infty \in \mathbb{R}^{2 \times 2}$, matrices $Q_{00} \in \mathbb{R}^{1 \times 1}$, $Q_{01} \in \mathbb{R}^{1 \times 1}$, $K_{SF} \in \mathbb{R}^{1 \times 2}$, $K_w \in \mathbb{R}^{1 \times 2}$ and scalars $\delta_{00}$ and $\gamma_{00}$, such that the following constraints are satisfied [48]: The static output feedback controller can finally be deduced by:

Proof. Taking advantage of the parametrization lemma (Lemma 4), the closed loop formulation of the static output feedback $H_\infty$ control problem can be written as follows: By application of Lemma 3, we obtain: Factorizing the matrix $Q_{01}$ in (24) (note that for this purpose, the matrix $Q_{01}$ must be invertible; this requirement is verified, since the block (3, 3) of (24) reads $Q_{01} + Q_{01}^T < 0$), we get: The LMI summarised in Relation (22) can be easily deduced from Relation (25), by taking the following notations:

Remark 1. It is clear that Theorem 1 is a non-convex optimization problem, and its solution seems to be non trivial. To overcome this issue, an initialization of the variables $K_w$ and $K_{SF}$ can be obtained reasonably by solving the following $H_\infty$ optimal problem [48]: Finally, we obtain:

Proof. For brevity, the proof is omitted here, but the reader can refer to [48] and the references therein.

The cross-decomposition Algorithm 1 to design the optimal static output feedback controller is then given as follows:

The cross-decomposition algorithm.
1. Initialization step (k = 1): solve LMI (26) and choose $K_{SF}$ and $K_w$;
2. Iterative step (k):
(a) first part: solve LMI of Theorem 1, and fix $Q_{01}$ and $Q_{00}$;
(b) second part: solve LMI of Theorem 1, and fix $K_{SF}$;
where is a desired performance determined by the designer.

Proportional and Integral Observer Design
The proportional and integral observer has been broadly developed and applied in recent years for the topic of fault diagnosis and fault tolerant control [49]. It has a strong ability in obtaining fault information, such as the size and the shape. Indeed, the additive sensor fault can be estimated for the faulty system of the following form: where $f_s$ is the additive sensor fault and $F$ is the fault distribution matrix. The proportional and integral fault estimation observer of the system (27) is described by [50]: To calculate the observer gains $L_p$ and $L_I$, we adopt the following considerations:

• The estimated state error e is defined as is a weighting matrix to be designed).

By taking into account the latter considerations, the dynamics of the estimated state error and the estimated fault error are written: where $\tilde{g} = g(x(t)) - g(\hat{x}(t))$. Based on (28) and (29), an augmented system of the following form can be written: where: In order to make the residual signal $r$ insensitive to external disturbances $w$, we propose the following property: The $H_\infty$ criterion ensuring the disturbances rejection is written as follows [51]:

Theorem 2. The nonlinear Lipschitz Proportional and Integral Observer (28) is asymptotically stable, if there exist positive definite matrices $P_1$ and $P_2$, matrices $U_1$, $U_2$ and $N_1$ and positive scalars $\delta_i$ ($i = 1, 2$), $\lambda$ and $\gamma$, such that the following LMI is verified: and: Finally, the observer gains are calculated:

Proof. Consider the following multiple Lyapunov function, where matrices $P_1 = P_1^T$ and $P_2 = P_2^T$ are symmetric positive definite matrices: Deriving (41) and using Property 1 and $L_2$, based on Lyapunov theory, we obtain: Using Hypothesis 1 and Lemma 2, we get: and:

Remark 2. The matrix $\bar{I}$ is the consequence of applying Lemma 2 and Hypothesis 2; it characterizes in which system states the nonlinearities are applied. On the other hand, the residual signal is rewritten to fit in the dimension with the expression (42), in such a way that: C 0 = C 0 1×2 and N T 1 = N T 0 T 2×1 . Additionally, the matrix $I_2$ is written as follows: Using the Schur Complement (Lemma 1) three times and denoting $U_1 = P_1 L$, $U_2 = P_2 L$ yields the LMI constraints of (35)-(39), and that ends the proof.
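The separation scheme described earlier (the estimated fault is subtracted from the measured speed before it reaches the controller) and the proportional and integral observer structure can be tried numerically. The following is an added example, not code from the paper: it goes beyond the text by using a linear two-state simplification of the longitudinal model with constructed, normalised parameters, observer gains obtained by direct pole placement instead of the LMI of Theorem 2, and an assumed static gain `K_FB` standing in for the SOF gain.

```python
# Linear stand-in for the longitudinal model (constructed, normalised values):
#   dV/dt = -ALPHA*V + BETA*T,   dT/dt = KAPPA*(u - T),   y = V + f_s
ALPHA, BETA, KAPPA = 0.2, 1.0, 5.0  # drag/inertia, 1/inertia, 1/tau
DT = 0.01                           # 10 ms sampling period
K_FB = 4.0                          # assumed static gain, not the paper's SOF gain


def pi_observer_gains(poles):
    """Gains (l1, l2, l3) placing the poles of the error system [e_V, e_T, e_f].

    With r = y - V_hat - f_hat, the error characteristic polynomial is
    s^3 + (a+k+l1+l3) s^2 + ((a+l1)k + b*l2 + l3(a+k)) s + l3*a*k.
    """
    p1, p2, p3 = poles
    c2 = -(p1 + p2 + p3)
    c1 = p1 * p2 + p1 * p3 + p2 * p3
    c0 = -(p1 * p2 * p3)
    l3 = c0 / (ALPHA * KAPPA)                     # integral (fault) gain
    l1 = c2 - ALPHA - KAPPA - l3                  # proportional gain on speed
    l2 = (c1 - (ALPHA + l1) * KAPPA - l3 * (ALPHA + KAPPA)) / BETA
    return l1, l2, l3


def sensor_fault(t):
    """Constructed abrupt additive fault on the speed sensor, in m/s."""
    return 1.0 if t >= 5.0 else 0.0


def simulate(compensate, v_ref=10.0, t_end=20.0, poles=(-2.0, -3.0, -4.0)):
    """Closed-loop run; returns final true speed, fault estimate and peak error."""
    l1, l2, l3 = pi_observer_gains(poles)
    v = torque = 0.0                    # plant states
    v_hat = torque_hat = f_hat = 0.0    # observer states
    peak_err = 0.0
    for k in range(int(round(t_end / DT))):
        f = sensor_fault(k * DT)
        y = v + f                                   # what the sensor reports
        y_ctrl = y - f_hat if compensate else y     # fault removed before control
        u = (ALPHA / BETA) * v_ref + K_FB * (v_ref - y_ctrl)
        peak_err = max(peak_err, abs(f - f_hat))
        r = y - v_hat - f_hat                       # residual driving the observer
        # Forward-Euler step for the plant and for the observer copy of the model
        dv = -ALPHA * v + BETA * torque
        dtorque = KAPPA * (u - torque)
        dv_hat = -ALPHA * v_hat + BETA * torque_hat + l1 * r
        dtorque_hat = KAPPA * (u - torque_hat) + l2 * r
        v, torque = v + DT * dv, torque + DT * dtorque
        v_hat, torque_hat = v_hat + DT * dv_hat, torque_hat + DT * dtorque_hat
        f_hat += DT * l3 * r
    return {"v": v, "f_hat": f_hat, "peak_err": peak_err}


if __name__ == "__main__":
    for flag in (True, False):
        print("compensated" if flag else "uncompensated", simulate(flag))
```

With compensation the true speed returns to the reference after the fault step, while the uncompensated loop settles with a bias proportional to the fault; `peak_err` records the transient estimation error right after the abrupt step.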

Descriptor Observer Design
The descriptor observer is based on the descriptor systems approach. The idea is to assume the additive sensor faults as a system state, in such a way that the resulting augmented system represents a descriptor system. Thus, the descriptor observer tends to estimate physical system states and the additive faults thanks to the appropriate gain matrices [52].
In order to design the descriptor observer, the system (27) is rewritten in the following augmented form: with: The nonlinear Lipschitz descriptor observer leading to the estimate of the system states and the sensor faults is written as follows: $z$ is an internal variable, , where $\Theta$ and $R$ are chosen in such a way that $\bar{E}$ is nonsingular.

Let us define the error $e = x - \hat{x}$ and the free faults' residual $r = N_2 (y - \hat{y}) = N_2 C_0 e$ (where $N_2$ is a weighting matrix to be designed). Indeed, the following error dynamics:

$\dot{e} = Se + Gg + Ww$ (48)

From (27) and (48), we have the following augmented system: The stability of the system (49) is ensured, using Property 1, and the $L_2$-gain form, if the LMI condition summarized in the following Theorem holds:

Theorem 3. The nonlinear augmented Lipschitz descriptor system is asymptotically stable, if there exist positive definite matrices $P_{11}$, $P_{12}$ and $P_2$, matrices $N_1$, $N_2$ and $N_2$ and positive scalars $\lambda$, $\gamma$ and $\delta_i$ ($i = 3, 4$), such that the following LMI condition is satisfied: and: The estimated fault is written as follows: where:

Proof. Consider the following Lyapunov function, where $P_1 = P_1^T > 0$ and $P_2 = P_2^T > 0$ are symmetric positive definite matrices, of appropriate dimensions: Deriving (56) and using Property 1, as well as the $L_2$-gain form, we obtain: Using Hypothesis 1 and Lemma 2, Equation (57) can be written as follows: with: Using the Schur complement twice: where $\Gamma_1 = H(P_1 S) + \delta_3 l^2 \bar{I} + I$.

Experimental Bench
This section is devoted to the evaluation of the proposed fault tolerant scheme through real driving scenario data. For that purpose, the VEDECOM demonstrator is used (see Figure 3). This demonstrator is a bi-mode electric and connected vehicle. It is based on a Renault Zoe electric vehicle, and equipped by VEDECOM teams with several pieces of equipment required for autonomous driving, such as Lidar (Velodyne VLP-16, VELODYNE LIDAR Inc., San Jose, CA, USA), Radar (Continental ARS-3XX series, CONTINENTAL AG, Hanover, Germany), GPS-RTK sensors and a DSpace MicroAutoBox (MABx) real time embedded computer. The wheel speeds, the motor speed and the steering wheel angle are measured by the sensors embedded in the vehicle architecture for ABS (Anti-lock Brake System) and ESP (Electronic Stability Program). The experiments were conducted on the Satory test track (see Figure 4). The approach consists of driving in self-driving mode, obeying a given reference speed profile, while recording the measured speed and the acceleration and braking torques of the vehicle from the CAN bus. These experimental data help us to validate the proposed fault tolerant scheme. Proceeding in this way allows us to properly evaluate our FTC proposition.
Indeed, this methodology provides us the assurance that the lateral dynamics (which has not been taken into account in the model dynamics) does not influence the longitudinal speed and fault estimations. The fault tolerant strategies are tested in the real-time software RTMaps (see https://intempora.com/products/rtmaps.html for more details), which is a modular toolkit for multi-modal applications and provides simplicity to test and validate ADAS and autonomous driving applications. Thus, RTMaps modules of the observers are built from the MATLAB/Simulink scheme. The build task is made with respect to the sampling time of the sensor measurements; to this end, the C++ compilation builder and the Simulink blocks are set to the same sampling time as the logged measurement data, in our case 10 ms.
Nevertheless, before the building of the modules, the LMI conditions of Theorems 2 and 3 are solved in order to obtain the SOF controller, DO and PIO gains. These gains, as well as the Lyapunov matrices, are given in Appendix A.

Descriptor Observer Results
We want, through this manoeuvre, to give an outline of the autonomous vehicle driving in the case of stop and go. Initially, the vehicle has a velocity of 1 m/s. Then, the vehicle accelerates to reach the speed of 5 m/s. At t = 60 s, the vehicle carries out a deceleration until stopping, and thereafter, at t = 80 s, the vehicle accelerates to reach a velocity of 10 m/s at t = 110 s. One can note that both estimated and measured speed are identical, which proves the convergence of the observer in a finite time with a negligible steady state error.
As we can notice through Figures 5-7, the measured signal and the estimated one are simultaneously represented. The following remarks can be deduced:

• The estimated states (speed, equivalent torque and fault) converge quickly toward the real states;
• The performances obtained are good in dynamic, as well as in static output;
• The observation errors are steered to zero in finite time;
• The estimated vehicle speed seems to be insensitive to the fault variation, and this holds in the different phases of the considered driving scenario (accelerating phase, decelerating phase and constant speed phase).

Moreover, the estimated torque tracks the vehicle control torque with a high attenuation level of the disturbances as depicted in Figure 6a-c.

Proportional and Integral Observer Results
The proportional and integral observer is tested in identical conditions as previously in terms of driving manoeuvre and fault type.
Thus, as depicted in Figure 8a-c, the estimated vehicle speed tracks the measured vehicle speed with attenuation of the disturbances. Additionally, the estimated torque with the proportional and integral observer converges to the control torque (see Figure 9a-c). Furthermore, the estimated fault with the proportional and integral observer struggles to converge in the event of abrupt additive fault variations. In fact, the variations at t = 60 s, t = 100 s and t = 160 s generate a small fault estimation error that needs time to be cancelled (see Figure 10).

Comparison of the Two Observers
Globally, the two observers have shown a high ability to detect and estimate the additive sensor faults, since the separation principle is applied to both observers and the same control approach is designed based on Lyapunov theory.
The estimated equivalent torque comparison between the descriptor observer and the proportional and integral observer is depicted in Figure 11a. From this figure, we can note that the descriptor observer has a significant disturbance attenuation level compared to the proportional and integral observer. Further, we can notice that the abrupt additive fault variations affect the estimated equivalent torque, as shown in Figure 11b,c. Additionally, the estimation error is very small with the proportional and integral observer and negligible with the descriptor observer.
Figure 12 shows the comparison between the fault estimations of the two observers, and Figure 13 shows the comparison of the fault estimation error. One can notice that the fault state estimated by the descriptor observer tracks the emulated one, with good performances in dynamic, as well as in static output. On the other hand, the proportional and integral observer seems to present a small estimation error. This error is the consequence of the abrupt variations in the additive fault, and it is due to the proportional and integral observer scheme. The difference between the descriptor observer and the proportional and integral observer in performing fault estimation is due to the nature of the latter. In fact, in a real-time environment, the numerical integration may not be achievable and may lead to a highly time-consuming process, thus generating significant estimation errors. However, the vehicle speed estimation by the two observers presents no significant difference (see Figure 14a-c). Indeed, the speed estimation error comparison given in Figure 15 shows a negligible estimation error (around 0.4 m·s⁻¹).

FTC Results
In order to test the proposed FTC scheme, the closed-loop approach is designed by numerical simulations using MATLAB/Simulink. Furthermore, the proposed adaptive cruise control FTC (depicted in Figure 1) is simulated with the same scenarios of the speed profile and fault.
Indeed, Figure 16a shows the speed profile of the vehicle in blue, which tracks the reference speed in red with the descriptor observer closed-loop FTC. In fact, the vehicle speed is well estimated as shown in the figure (the green line). In addition, the estimation of the additive fault is given in Figure 16b, where we can see a good estimation. On the other hand, the speed profile of the closed-loop FTC with the proportional and integral observer is shown in Figure 16c. The designed static output feedback control shows the good tracking performance of the reference speed. Indeed, the estimated speed converges to the estimated one. Figure 16d shows the estimation of the additive fault given by the proportional and integral observer.
Simulations have been carried out to illustrate the ability of this approach, to give the good performance of the states' estimation and FTC control scheme design in scenarios of autonomous driving. From this prospect, the tests on the vehicle prototype will be implemented.

Conclusions
The purpose of the proposed study is the sensor fault tolerant design of an autonomous vehicle. The designed theory is based on the separation principle. This approach consists of the design, in a separate manner, of a controller (a static output feedback) and a sensor fault estimation observer (a descriptor and a proportional and integral observer). Indeed, this methodology is easy to implement, since the controller and observers are considered in a convex LMI optimization problem, avoiding recourse to the complex Bilinear Matrix Inequalities (BMI) used in the case of an observer-based controller concept design. The experimental results of the proposed scheme show a high ability in estimating the additive fault and in maintaining a safe operating behaviour. Additionally, the designed observers have accurately estimated unmeasurable vehicle states (the vehicle equivalent torque), and this ability may be interesting when we do not need to measure a vehicle side slip angle, for example, or when avoiding the design of cascading observers; this is made possible by the Lipschitz model used in this designed control approach. Thus, all vehicle dynamics that can be put in Lipschitzian form are eligible for the method studied in this paper. The obtained successful experimental results will represent the basis of our future works in the design of fault detection for vehicle exteroceptive sensors (such as radars, LiDARs and cameras), where the proprioceptive information must be highly accurate and fault tolerant. Afterwards, the robustness against parameter uncertainties will be taken into account; thus, the vehicle will be able to operate in all conditions.

Author Contributions: M.R.B. designed the approach, carried out the experimentation and generated the results; M.R.B. and A.C. analyzed the results and were responsible for writing the paper; A.C., M.B. and S.G. supervised the research, reviewed the approach and the results to further improve the quality of the paper.

Acknowledgments: The authors would like to thank the VEDECOM institute, which supports this research, and Benoit Lusetti and Lynda Halit for the invaluable help in realizing the data collection.

Conflicts of Interest: The authors declare no conflict of interest.


Appendix A. The Different Gain Matrices
To solve the LMI conditions of Algorithm 1 and Theorems 2 and 3, we use the PENLAB solver running under the YALMIP environment of MATLAB. The LMI solutions are given as follows:

• The static output feedback controller: The optimization is run for an objective of = 0.1 and took eight steps. The static output feedback control gain is given:

• The proportional and integral observer: For an $H_\infty$ criterion of $\gamma = 0.1484$ with an $L_2$ gain norm of $\lambda = 0.1266$, the proportional and integral gains are given by:

• The descriptor observer: For an $H_\infty$ criterion of $\gamma = 0.0377$ with an $L_2$ gain norm of $\lambda = 0.0811$, the descriptor gain is given by: